AD RMS Cryptographic Modes

Updated: March 2, 2012

Applies To: Windows Server 2008 R2 with SP1

There are two cryptographic modes available to Active Directory Rights Management Services (AD RMS) deployments with servers running Windows Server 2008 R2 with Service Pack 1. When AD RMS is first installed, Cryptographic Mode 1 is in use. To use the stronger Cryptographic Mode 2, specific updates must be applied and administrative commands run. This document describes the cryptographic modes available to AD RMS, along with the software prerequisites and administrative commands needed to enable Cryptographic Mode 2. The document consists of the following major sections.

Cryptographic Mode 1 is the original AD RMS cryptographic implementation. It uses RSA 1024 for signature and encryption, and SHA-1 for signature. This mode continues to be supported by all currently released versions of AD RMS.

Cryptographic Mode 2 is an updated and enhanced AD RMS cryptographic implementation. It uses RSA 2048 for signature and encryption, and SHA-256 for signature.

You should use a three-phase approach to transition to Cryptographic Mode 2. The recommended phases are described in the following list.

Preparation Phase

Upgrade all Active Directory Rights Management Services client computers to support Cryptographic Mode 2. Your clients may be a mixture of AD RMS client computers running different operating systems, each of which you will need to patch to achieve the required level of support.

Coordinate with partners in other groups with whom you share AD RMS-protected content, and agree on the dates of the checkpoints. Depending on your deployment, the following preparations might also be required:

If you have servers connected with a TUD, all servers involved must be updated and must move to Cryptographic Mode 2 at the same time. See Enabling Cryptographic Mode 2 for TUDs in this document for more information.

If you have servers connected with AD FS, the servers do not have to be updated; however, all clients in both forests must be upgraded.

Upgrade all AD RMS servers to support Cryptographic Mode 2. If you are running servers on versions of RMS released before Windows Server 2008 R2 SP1, you should first upgrade them to Windows Server 2008 R2 SP1 to achieve the required level of support.

Transition Phase

The transition phase can begin once all AD RMS servers and their clients are capable of Cryptographic Mode 2.

Before your AD RMS servers are updated to use Cryptographic Mode 2, you should first create their Cryptographic Mode 2 keys so that these keys can be imported as TUDs in another forest.

During this time, your content continues to be rights-protected using Cryptographic Mode 1.

Completing the Migration

Once all preparation is complete, the move to Cryptographic Mode 2 must be coordinated throughout the organization.

AD RMS client computers running on the supported operating systems require only the software updates to be applied in order to support Cryptographic Mode 2. Upgraded AD RMS client computers can continue to function with AD RMS servers that have not yet been upgraded to Cryptographic Mode 2.

UpdateCryptographicModeOnly is the parameter that indicates that Cryptographic Mode 2 should be enabled. This is a one-way operation: once it completes, you cannot return the AD RMS server to Cryptographic Mode 1.

Force is optional; it suppresses the prompt that asks the user for confirmation.

NewCSPName indicates the cryptographic provider that you want to use for encryption. This setting is optional and is not needed if you are using password-based protection. It can be any cryptographic provider that is enabled for Cryptographic Mode 2.

As an example, if the AD RMS service account is named ADRMSSvc, you would open a Windows PowerShell prompt and run the following command to update the AD RMS server to Cryptographic Mode 2:

If you are using a trusted user domain (TUD) between two AD RMS servers, both must be using the same cryptographic mode. For example, communication in support of a TUD relationship between a Cryptographic Mode 2 AD RMS server in one forest and a Cryptographic Mode 1 AD RMS server in another forest is not possible. To keep the TUD relationship intact, the administrators of both forests should communicate and coordinate the upgrade of the cryptographic mode.

Before either forest can move to Cryptographic Mode 2, all clients (or at least all clients that will exchange information) should be updated to support Cryptographic Mode 2.

Before an administrator moves one forest to Cryptographic Mode 2, they should generate the new server licensor certificate (SLC) and export it.

The administrator in the partner forest should then import the updated Cryptographic Mode 2 SLC, which allows for the TUD to remain intact.

Once the decision is made to move to Cryptographic Mode 2, administrators in both forests should move AD RMS servers to Cryptographic Mode 2 at the same time. TUDs are unavailable for client information exchange until all the AD RMS servers in the forest are upgraded to Cryptographic Mode 2.

Path is a mandatory parameter that takes an AD RMS Admin drive path, as described in Using Windows PowerShell to Administer AD RMS (http://technet.microsoft.com/library/ee221079.aspx). If you change directory to the AD RMS drive, you can use a period (.) for <ADRmsAdmin drive>.

SourceFile is the SLC file that was generated using the Initialize-RmsCryptoMode2 command.

DisplayName is the display name for the TUD relationship.

For example, if you want to import an SLC file named slcfabrikam.xml that is located on an AD RMS drive named FabrikamRMSCluster in the folder TrustPolicy and the trusted user domain display name is Fabrikam, you would run the following command at a Windows PowerShell prompt:
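The two administrative steps described above (importing the partner forest's Cryptographic Mode 2 SLC as a TUD, then switching the local cluster) as one coordinated sequence. This is an added example, not the page's own commands; it assumes the AdRmsAdmin module and the Import-RmsTUD cmdlet (the page names only that cmdlet's parameters), and the cluster URL, the SLC file path and the TrustPolicy\TrustedUserDomain container path are constructed or assumed values.

```powershell
# Added example, not from the TechNet page. Assumptions: the AdRmsAdmin module and
# the Import-RmsTUD cmdlet (the page lists only its Path, SourceFile and DisplayName
# parameters); the cluster URL and the SLC file path are constructed values.
Import-Module AdRmsAdmin

# Mount the AD RMS Admin drive for the local cluster, as described in "Using Windows
# PowerShell to Administer AD RMS". The drive name FabrikamRMSCluster and the TUD display
# name Fabrikam follow the page's example; the -Root URL is a placeholder.
New-PSDrive -Name FabrikamRMSCluster -PSProvider AdRmsAdmin -Root https://adrms.contoso.example

# Step 1: import the Cryptographic Mode 2 SLC that the partner forest's administrator
# generated with Initialize-RmsCryptoMode2 and exported, so the TUD survives the mode
# change. TrustPolicy\TrustedUserDomain is the assumed container for TUDs on the drive.
Import-RmsTUD -Path FabrikamRMSCluster:\TrustPolicy\TrustedUserDomain `
              -SourceFile C:\Transfer\slcfabrikam.xml `
              -DisplayName Fabrikam

# List the TUDs and confirm that Fabrikam appears before taking the one-way step below.
Get-ChildItem FabrikamRMSCluster:\TrustPolicy\TrustedUserDomain

# Step 2, at the cut-over time agreed with the partner forest (both forests must switch
# together, or the TUD is unusable until they are in the same mode): enable
# Cryptographic Mode 2 on this cluster. There is no way back to Cryptographic Mode 1.
# Changing directory to the drive root lets -Path take a period, as the page notes.
Set-Location FabrikamRMSCluster:\
Initialize-RmsCryptoMode2 -Path . -UpdateCryptographicModeOnly

# Variants: add -Force to suppress the confirmation prompt, and -NewCSPName '<provider>'
# only when the cluster key is protected by a cryptographic provider rather than a password.
```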

Trusted publishing domains (TPDs) are used to verify publishing licenses (PLs) for previously published content. No changes are required for TPDs in Cryptographic Mode 2. Cryptographic Mode 1 TPDs will continue to be honored for previously published content.

The following sections contain anticipated questions and answers for administrators preparing to perform the upgrade from Cryptographic Mode 1 to Cryptographic Mode 2.

National Institute of Standards and Technology (NIST) Special Publication 800-57 recommends the use of 2048-bit RSA keys starting January 1, 2011. United States Federal agencies are required to comply with NIST recommendations, and many private enterprises and other countries may choose to implement this recommendation. To learn more, see NIST Special Publications (http://csrc.nist.gov/publications/PubsSPs.html).

The experience for users varies depending on which of the following conditions are present:

If the user is running an unpatched client device and receives Cryptographic Mode 2 content, they will receive an error. The error returned by the server indicates that the cryptographic mode is erroneous; the exact message text displayed at the client depends on the application returning the error. If this occurs, the client automatically restarts its bootstrap process with the AD RMS server.

If the user has existing Cryptographic Mode 1 end user licenses (EULs), the client must contact the server to get a Cryptographic Mode 2 EUL for that content. As long as the user is online and able to reach the AD RMS server, this operation should occur automatically and not require user input.

Patches are available for AD RMS client computers only. RMS clients running Windows XP are not supported and must be replaced or upgraded to Windows Vista SP2 or later to support Cryptographic Mode 2. The specific patches to apply depend on which version of the operating system is in use.

To support Cryptographic Mode 2 directly, you will need to update all AD RMS servers to Windows Server 2008 R2 SP1. You can choose to move servers to Cryptographic Mode 2 after you have completed operating system upgrades for all servers. Note that all clients must be updated before moving to Cryptographic Mode 2, and where multiple AD RMS servers are involved, all must move to Cryptographic Mode 2 at the same time. Otherwise, any servers that do not move to Cryptographic Mode 2 will be unable to participate until they are in the same mode.

In some situations, TUDs can be replaced by a deployment of Active Directory Federation Services (AD FS), which allows partners to continue to interoperate while in different cryptographic modes. Under these circumstances, clients use the AD FS servers to access the updated AD RMS servers, and changes to an AD FS-supported trust are less involved.

If you are running a federated trust between forests using AD FS and have servers operating in two different cryptographic modes, the following considerations should help you to make appropriate planning decisions and understand the differences.

Before either forest in a federated trust relationship supported by AD FS can move to Cryptographic Mode 2, all clients (or at least clients that will exchange information) need to be updated to support Cryptographic Mode 2.

The AD RMS and AD FS servers in the second forest will not need to be patched or upgraded.

The AD RMS servers moving to Cryptographic Mode 2 do not need to share SLCs with the other forest.

Clients get rights account certificates (RACs) from the publishing server, so for cross-forest publishing each client gets two independent RACs: one from the publishing server in each forest.

Once a server is updated to Cryptographic Mode 2, all of the Cryptographic Mode 1 end user licenses (EULs) that each AD RMS client has obtained (either directly or via Exchange pre-licensing) are no longer valid. In this situation, client devices need to go back to the AD RMS server with the publishing license (PL) to obtain a Cryptographic Mode 2 EUL. As long as the user is online and able to reach the AD RMS server, this operation should occur automatically and not require user input.

All computers using AD RMS that run Microsoft Office 2007 or Microsoft Office 2010 must be updated. Cryptographic Mode 2 is not supported for versions of Microsoft Office prior to Microsoft Office 2007. If Microsoft Office installations are not updated, they will continue to operate once the AD RMS deployment moves to Cryptographic Mode 2; however, access to licensed content within Microsoft Office might be less convenient because of additional error messages or dialog boxes that appear on the client computer.

Exchange Server 2010 must be updated to support Cryptographic Mode 2. Exchange Server 2007 does not require updates in order to support Cryptographic Mode 2.

Updating to Cryptographic Mode 2 should have no impact on Microsoft Office SharePoint Server 2007, although you might need to restart SharePoint services after updating your AD RMS deployment to use Cryptographic Mode 2.

No. Enabling backward compatibility for clients that have not been updated to support Cryptographic Mode 2 would allow users with weaker keys to access content, introducing a weak link in the security chain and potentially defeating the benefits of the enhanced cryptographic strength that Cryptographic Mode 2 provides for AD RMS.

Yes. A Cryptographic Mode 1 trusted publishing domain (TPD) is automatically imported during the Cryptographic Mode 2 update process. This enables all existing content that was originally published under Cryptographic Mode 1 to remain accessible after the update to Cryptographic Mode 2.